I'm having trouble connecting to a VPN using Strongswan. What is blocking me?

I tried to connect to my company's VPN using the Strongswan network manager. I have no idea what is going wrong. As far as I can tell, it fails to set up the connection after authentication.

I am using Ubuntu 22.04.1.

Aug 19 10:24:05 bumpusbox NetworkManager[711]: <info>  [1660929845.1405] audit: op="connection-activate" uuid="16404d0f-b19b-4af9-9e44-7a596c8d3892" name="jimsFishyBusiness vpn" pid=2006 uid=1000 result="success"
Aug 19 10:24:05 bumpusbox charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.5)
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] providers loaded by OpenSSL: legacy default
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] created TUN device: tun0
Aug 19 10:24:05 bumpusbox NetworkManager[711]: <info>  [1660929845.1503] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/10)
Aug 19 10:24:05 bumpusbox systemd-udevd[67536]: Using default interface naming scheme 'v249'.
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg kernel-netlink socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 19 10:24:05 bumpusbox charon-nm: 00[JOB] spawning 16 worker threads
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for 169.254.0.0/16
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for 172.17.0.0/16
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for 192.168.0.0/24
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for ::1/128
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for fe80::/64
Aug 19 10:24:05 bumpusbox charon-nm: 06[CFG] received initiate for NetworkManager connection jimsFishyBusiness vpn
Aug 19 10:24:05 bumpusbox charon-nm: 06[CFG] using gateway identity '9.999.999.999'
Aug 19 10:24:05 bumpusbox charon-nm: 06[IKE] initiating IKE_SA jimsFishyBusiness vpn[1] to 9.999.999.999
Aug 19 10:24:05 bumpusbox charon-nm: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 19 10:24:05 bumpusbox charon-nm: 06[NET] sending packet: from 192.168.0.223[36581] to 9.999.999.999[500] (904 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 13[NET] received packet: from 9.999.999.999[500] to 192.168.0.223[36581] (38 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 19 10:24:05 bumpusbox charon-nm: 13[IKE] peer didn't accept DH group CURVE_25519, it requested ECP_256
Aug 19 10:24:05 bumpusbox charon-nm: 13[IKE] initiating IKE_SA jimsFishyBusiness vpn[1] to 9.999.999.999
Aug 19 10:24:05 bumpusbox charon-nm: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 19 10:24:05 bumpusbox charon-nm: 13[NET] sending packet: from 192.168.0.223[36581] to 9.999.999.999[500] (936 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 14[NET] received packet: from 9.999.999.999[500] to 192.168.0.223[36581] (270 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 19 10:24:05 bumpusbox charon-nm: 14[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] local host is behind NAT, sending keep alives
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] remote host is behind NAT
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] sending cert request for "CN=VPN root CA"
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] establishing CHILD_SA jimsFishyBusiness vpn{1}
Aug 19 10:24:05 bumpusbox charon-nm: 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 19 10:24:05 bumpusbox charon-nm: 14[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (416 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 15[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (1236 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 15[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Aug 19 10:24:05 bumpusbox charon-nm: 15[ENC] received fragment #1 of 2, waiting for complete IKE message
Aug 19 10:24:05 bumpusbox charon-nm: 01[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (788 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1952 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 01[IKE] received end entity cert "CN=9.999.999.999"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG]   using certificate "CN=9.999.999.999"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG]   using trusted ca certificate "CN=VPN root CA"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG] checking certificate status of "CN=9.999.999.999"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG] certificate status is not available
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG]   reached self-signed root ca with a path length of 0
Aug 19 10:24:05 bumpusbox charon-nm: 01[IKE] authentication of '9.999.999.999' with RSA_EMSA_PKCS1_SHA2_384 successful
Aug 19 10:24:05 bumpusbox charon-nm: 01[IKE] server requested EAP_MSCHAPV2 authentication (id 0xD1)
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 01[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (144 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 04[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (144 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 04[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 04[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Aug 19 10:24:05 bumpusbox charon-nm: 04[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 04[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 08[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 08[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Aug 19 10:24:05 bumpusbox charon-nm: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Aug 19 10:24:05 bumpusbox charon-nm: 08[IKE] authentication of 'myuser' (myself) with EAP
Aug 19 10:24:05 bumpusbox charon-nm: 08[ENC] generating IKE_AUTH request 4 [ AUTH ]
Aug 19 10:24:05 bumpusbox charon-nm: 08[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (96 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 09[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (128 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 09[ENC] parsed IKE_AUTH response 4 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] authentication of '9.999.999.999' with EAP successful
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] IKE_SA jimsFishyBusiness vpn[1] established between 192.168.0.223[myuser]...9.999.999.999[9.999.999.999]
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] scheduling rekeying in 35530s
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] maximum IKE_SA lifetime 36130s
Aug 19 10:24:05 bumpusbox NetworkManager[711]: <warn>  [1660929845.8775] vpn[0x55b4cab76220,16404d0f-b19b-4af9-9e44-7a596c8d3892,"jimsFishyBusiness vpn"]: dbus: failure: connect-failed (1)
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
Aug 19 10:24:05 bumpusbox NetworkManager[711]: <warn>  [1660929845.8776] vpn[0x55b4cab76220,16404d0f-b19b-4af9-9e44-7a596c8d3892,"jimsFishyBusiness vpn"]: dbus: failure: connect-failed (1)
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] peer supports MOBIKE
Aug 19 10:24:05 bumpusbox charon-nm: 10[IKE] deleting IKE_SA jimsFishyBusiness vpn[1] between 192.168.0.223[myuser]...9.999.999.999[9.999.999.999]
Aug 19 10:24:05 bumpusbox charon-nm: 10[IKE] sending DELETE for IKE_SA jimsFishyBusiness vpn[1]
Aug 19 10:24:05 bumpusbox charon-nm: 10[ENC] generating INFORMATIONAL request 5 [ D ]
Aug 19 10:24:05 bumpusbox charon-nm: 10[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 11[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 11[ENC] parsed INFORMATIONAL response 5 [ ]
Aug 19 10:24:05 bumpusbox charon-nm: 11[IKE] IKE_SA deleted

Answer 1

If you haven't found a solution yet: I had a similar problem and fixed it. My solution ended up being what is described in the update section of this question.

Specifically, my Strongswan VPN connection was working, but after updating to Ubuntu 22.04 LTS the connection stopped working. The solution was as follows:

  1. Open /etc/NetworkManager/system-connections/<VPN_Name>
  2. In the [vpn] section, find the line that says proposal=no. Change it to yes.
  3. Below it, add the line esp=aes256-sha256-ecp384

That particular solution didn't seem to work for the poster of the linked question, but it worked for me, and my situation was more similar to yours. I hope this helps someone!

Answer 2

I hadn't set it up correctly. I needed to check the "Request an inner IP address" option.
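Both answers boil down to reading the notify payloads charon logs in the `[ ... ]` lists: `INVAL_KE` in IKE_SA_INIT is survivable (charon retries with the peer's group, as the question's log shows), while `FAIL_CP_REQ` after a successful EAP run is what killed the CHILD_SA. The following triage script is my own added example, not code from the thread or from strongSwan; the sample lines are constructed in the shape of the question's log, and the hint text per notify is my own reading, including the assumption that the NetworkManager "Request an inner IP address" option is what makes the client send the Configuration Payload the gateway demands.

```python
import re

# Constructed sample in the shape of the charon-nm lines from the question
# (same placeholder gateway address, trimmed to the lines that matter).
SAMPLE_LOG = """\
Aug 19 10:24:05 bumpusbox charon-nm: 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 19 10:24:05 bumpusbox charon-nm: 13[IKE] peer didn't accept DH group CURVE_25519, it requested ECP_256
Aug 19 10:24:05 bumpusbox charon-nm: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 19 10:24:05 bumpusbox charon-nm: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Aug 19 10:24:05 bumpusbox charon-nm: 09[ENC] parsed IKE_AUTH response 4 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
"""

# Notify names as charon abbreviates them inside "[ ... ]" payload lists.
# The hint text is my own reading of each notify, phrased for the client side.
NOTIFY_HINTS = {
    "INVAL_KE": "DH group mismatch; charon retries with the group the peer asked for, so only fatal if it repeats",
    "AUTH_FAILED": "peer rejected our credentials or we rejected its certificate",
    "FAIL_CP_REQ": "gateway insists on a Configuration Payload: enable 'Request an inner IP address' (virtual IP) on the client",
    "TS_UNACCEPT": "traffic selectors rejected; usually a side effect of FAIL_CP_REQ, otherwise check the esp=/subnet settings",
    "NO_PROP_CHOSEN": "no overlapping proposal; set explicit ike=/esp= algorithms (the fix in answer 1)",
}

PAYLOAD_RE = re.compile(r"parsed (\S+) (?:response|request) (\d+) \[(.*?)\]")
NOTIFY_RE = re.compile(r"N\(([A-Z0-9_]+)\)")


def triage(log_text):
    """Walk charon lines in order and return (eap_ok, findings), where findings
    is a list of (exchange, notify, hint) for every notify that has a hint."""
    eap_ok = False
    findings = []
    for line in log_text.splitlines():
        if "[IKE] EAP method" in line and "succeeded" in line:
            eap_ok = True
        m = PAYLOAD_RE.search(line)
        if not m:
            continue
        exchange = m.group(1)
        for notify in NOTIFY_RE.findall(m.group(3)):
            if notify in NOTIFY_HINTS:
                findings.append((exchange, notify, NOTIFY_HINTS[notify]))
    return eap_ok, findings


def verdict(log_text):
    """One-line diagnosis: once EAP succeeded, the first hinted notify in an
    IKE_AUTH exchange is what refused the CHILD_SA; earlier ones were survivable."""
    eap_ok, findings = triage(log_text)
    post_auth = [f for f in findings if f[0] == "IKE_AUTH"]
    if eap_ok and post_auth:
        return "auth OK, CHILD_SA refused by %s: %s" % (post_auth[0][1], post_auth[0][2])
    if findings:
        return "failed before auth with %s: %s" % (findings[0][1], findings[0][2])
    return "no diagnostic notifies found"


if __name__ == "__main__":
    print(verdict(SAMPLE_LOG))
```

Run it against `journalctl -u NetworkManager` output piped to a file to get the same one-line verdict for a live failure.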